Recommended Forefront TMG 2010 SSL and TLS Configuration

Last year I wrote an article for ISAserver.org that provided detailed guidance for improving the security of SSL and TLS protected web sites published through Forefront TMG 2010. Many people have reached out to me recently to ask about enabling forward secrecy, which my original article did not include because, at the time, it was not recommended. Times have changed, and enabling forward secrecy is now recommended, so I recently wrote a short post with guidance on how to do that. That post was written with a very narrow scope and addressed only enabling forward secrecy for TLS. Many of you have since asked for guidance on overall SSL and TLS security best practices together with support for forward secrecy. In addition to the configuration changes detailed in my original ISAserver.org article, I recommend that the following list of SSL and TLS cipher suites be explicitly enforced, in the order shown, using the method outlined here.

Using this configuration, the Forefront TMG 2010 firewall should receive an A rating from the SSL Labs test site (at the time of this writing).

Enforcing the above list of cipher suites provides the best overall balance of protection and performance for your SSL protected web sites. Note that the list above does not include support for SSL 3.0. If you must support SSL 3.0, add the following cipher suites to the end of the list. Be aware that both SSL 3.0 and RC4 have since been formally deprecated (RFC 7568 and RFC 7465 respectively), so enable them only for clients that cannot negotiate anything stronger.

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

Please note that this configuration may not work with older browsers on old, unsupported operating systems, for example Internet Explorer 6 on Windows XP. Before deploying this configuration in production I would encourage you to test with the clients you support to ensure interoperability.
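As an added illustration (this script is not from the original article, nor from Microsoft), the following PowerShell shows how an explicit cipher suite order and the SCHANNEL protocol settings are enforced on the Windows Server 2008 R2 host that Forefront TMG 2010 runs on, by writing the same registry values that the "SSL Cipher Suite Order" group policy writes. The suite names in $cipherSuites are an illustrative placeholder and are an assumption on my part; substitute the article's recommended list. The 1023 character limit on the Functions value and the default-off state of TLS 1.1 and 1.2 on this OS are documented Windows behaviour.

```powershell
# Added example (not from the original article): enforce an explicit SSL/TLS cipher
# suite order and protocol settings on the Windows Server 2008 R2 host running TMG 2010.
# Run in an elevated PowerShell session; Schannel reads these keys at boot, so reboot after.

# ILLUSTRATIVE PLACEHOLDER (assumption): replace with the list recommended in the article.
# Forward-secrecy (ECDHE) suites go first, then RSA key exchange. Server 2008 R2 names
# its ECDHE suites with a curve suffix (_P256 / _P384).
$cipherSuites = @(
  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
  'TLS_RSA_WITH_AES_256_CBC_SHA256',
  'TLS_RSA_WITH_AES_128_CBC_SHA256',
  'TLS_RSA_WITH_AES_256_CBC_SHA',
  'TLS_RSA_WITH_AES_128_CBC_SHA'
)
# Only if SSL 3.0 must remain enabled (see the article's note); these are the RC4 suites
# the article says to append, and they go at the END of the list.
$supportSsl3 = $false
if ($supportSsl3) {
  $cipherSuites += 'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5'
}

$functions = $cipherSuites -join ','
# The policy value is limited to 1023 characters on this OS. Schannel silently ignores
# suites past the limit, so fail loudly instead.
if ($functions.Length -gt 1023) {
  throw "Cipher suite list is $($functions.Length) characters; the limit is 1023."
}

# Same key the 'SSL Cipher Suite Order' group policy writes (Functions, REG_SZ).
$sslPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $sslPolicy)) { New-Item -Path $sslPolicy -Force | Out-Null }
Set-ItemProperty -Path $sslPolicy -Name 'Functions' -Value $functions -Type String

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Server-side protocol state. SSL 3.0 off unless explicitly required; TLS 1.1 and 1.2 on
# (both are present but disabled by default on Server 2008 R2).
$protocolState = @{
  'SSL 3.0' = @{ Enabled = [int]$supportSsl3; DisabledByDefault = [int](-not $supportSsl3) }
  'TLS 1.1' = @{ Enabled = 1; DisabledByDefault = 0 }
  'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}
foreach ($proto in $protocolState.Keys) {
  $key = Join-Path $schannel "$proto\Server"
  if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
  foreach ($name in $protocolState[$proto].Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $protocolState[$proto][$name] -Type DWord
  }
}

# Read everything back so the change can be checked before the reboot.
Write-Host 'Cipher suite order:'
(Get-ItemProperty -Path $sslPolicy).Functions -split ','
foreach ($proto in $protocolState.Keys) {
  $key = Join-Path $schannel "$proto\Server"
  $p = Get-ItemProperty -Path $key
  Write-Host ("{0,-8} Enabled={1} DisabledByDefault={2}" -f $proto, $p.Enabled, $p.DisabledByDefault)
}
```

After the reboot, re-run the SSL Labs test against the published site: the handshake simulation section shows which suite each client actually negotiates, which is the quickest way to confirm the order took effect and that no supported client fell back to a suite you did not intend.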

This has been very useful to us but could it be updated to include the new cipher suites introduced by KB2992611?
I would also find an article explaining why the suites are in a specific order very useful to help me to understand this. I’m assuming the order is Exchange, Encryption and then Hash with each item sorted in descending order?

Thanks for the suggestion Mark. I’ll have a look at that soon and update the article accordingly. To learn more about cipher suites, I’d suggest reading Ivan Ristic’s new book entitled Bulletproof SSL and TLS. You’ll find it includes all the information you’ll need regarding cipher suites and SSL/TLS implementation.

Cheers Richard. I'll see if I can dig it out 🙂 Gotta be worth a read just for the Feisty Duck.

Mark Haddon

November 25, 2015 at 7:07 am

Just chancing my hand here in case you have an insight into this, but https://www.ssllabs.com/ssltest has started showing a failure of "3. Extra Download" under Certification Paths: Path #2: Trusted when scanning SSL sites. We still get an A rating from SSL Labs, but PCI scans have been failing them as Untrusted in the last week. Any ideas?

We get:

SSL Certificate – Signature Verification Failed Vulnerability
Exception: If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.
Solution: Please install a server certificate signed by a trusted third-party Certificate Authority.
Result: Certificate #0 CN=REDACTED, OU=Domain_Control_Validated unable to get local issuer certificate